Technical Field
This disclosure relates generally to the field of digital resource access, and more particularly to risk-based computer recertification of online access.
Background of the Related Art
Identity and Access Management Governance is a set of processes and policies for organizations to manage risks and maintain compliance with regulations and policies by administering, securing, and monitoring identities and their access to applications, information, and systems. Although potentially complex in implementation, the concept of Identity and Access Management (IAM) Governance is fairly straightforward: determine who should have access to what resources and who should not, according to government regulations, industry-specific regulations (SOX, HIPPA, GLBA, etc.), and business regulations and guidelines. Typically, key aspects of IAM Governance include access request governance, entitlement certifications, reports and audits, and analytics and intelligence (including role management, entitlement management, separation of duties enforcement, and privileged identity management). An end-to-end IAM Governance solution may also provide related functions, such as access enforcement, user provisioning, password management, and user lifecycle management.
Identity and access management (IAM) systems protect enterprise data and applications with context-based access control, security policy enforcement and business-driven driven identity governance. These systems may be operated in a standalone manner, in association with cloud-based environments, or in hybrid environments.
Automated systems for IAM health checking detect identity-centric risks within a governance system by scanning for one or more weakness patterns, such as too many Admins configured, account sharing, or cloning of access permissions. While detecting these and other such conditions provides useful information, known detection mechanisms are time-consuming and require large amounts of data to be read or extracted from multiple systems being governed. The problems associated with data collection in this context are exacerbated by the existence of multiple detection algorithms that may be available for evaluating a particular risk, and because detection algorithms have different levels of reliability as well as different data requirements. As a consequence, known IAM health checking techniques tend to operate with missing or imperfect data, or using algorithms that do not always fit the available data. Moreover, a best algorithm for a particular job typically cannot be pre-configured.
Known implementations that require a fixed set of data to detect vulnerabilities are not flexible, and they are incapable of detecting vulnerabilities using different strategies based on available data.